Merge pull request #9640 from mshitrit/skip-ssl-verification

openshift-merge-bot[bot] · web-flow · commit 05ef79770d1e · 2025-05-06T03:21:25.000Z
OCPEDGE-1707: Add Disable Certificate Verification API
diff --git a/data/data/install.openshift.io_installconfigs.yaml b/data/data/install.openshift.io_installconfigs.yaml
@@ -71,6 +71,15 @@ spec:
                       properties:
                         address:
                           type: string
+                        certificateVerification:
+                          default: Enabled
+                          description: |-
+                            CertificateVerification Defines whether ssl certificate verification is required or not.
+                            If omitted, the platform chooses a default, that default is enabled.
+                          enum:
+                          - Enabled
+                          - Disabled
+                          type: string
                         hostName:
                           type: string
                         password:
@@ -1384,6 +1393,15 @@ spec:
                         properties:
                           address:
                             type: string
+                          certificateVerification:
+                            default: Enabled
+                            description: |-
+                              CertificateVerification Defines whether ssl certificate verification is required or not.
+                              If omitted, the platform chooses a default, that default is enabled.
+                            enum:
+                            - Enabled
+                            - Disabled
+                            type: string
                           hostName:
                             type: string
                           password:
@@ -2636,6 +2654,15 @@ spec:
                       properties:
                         address:
                           type: string
+                        certificateVerification:
+                          default: Enabled
+                          description: |-
+                            CertificateVerification Defines whether ssl certificate verification is required or not.
+                            If omitted, the platform chooses a default, that default is enabled.
+                          enum:
+                          - Enabled
+                          - Disabled
+                          type: string
                         hostName:
                           type: string
                         password:
diff --git a/pkg/types/machinepools.go b/pkg/types/machinepools.go
@@ -158,10 +158,26 @@ type Fencing struct {
 	Credentials []*Credential `json:"credentials,omitempty"`
 }
 
+// CertificateVerificationPolicy represents the options for CertificateVerification .
+type CertificateVerificationPolicy string
+
+const (
+	// CertificateVerificationEnabled enables ssl certificate verification.
+	CertificateVerificationEnabled CertificateVerificationPolicy = "Enabled"
+	// CertificateVerificationDisabled disables ssl certificate verification.
+	CertificateVerificationDisabled CertificateVerificationPolicy = "Disabled"
+)
+
 // Credential stores the information about a baremetal host's management controller.
 type Credential struct {
 	HostName string `json:"hostName,omitempty" validate:"required,uniqueField"`
 	Username string `json:"username" validate:"required"`
 	Password string `json:"password" validate:"required"`
 	Address  string `json:"address" validate:"required,uniqueField"`
+	// CertificateVerification Defines whether ssl certificate verification is required or not.
+	// If omitted, the platform chooses a default, that default is enabled.
+	// +kubebuilder:default:="Enabled"
+	// +kubebuilder:validation:Enum=Enabled;Disabled
+	// +optional
+	CertificateVerification CertificateVerificationPolicy `json:"certificateVerification,omitempty"`
 }
diff --git a/pkg/types/validation/installconfig_test.go b/pkg/types/validation/installconfig_test.go
@@ -2822,6 +2822,16 @@ func TestValidateTNF(t *testing.T) {
 			name:     "valid_two_credentials",
 			expected: "",
 		},
+		{
+			config: installConfig().
+				PlatformBMWithHosts().
+				MachinePoolCP(machinePool().
+					Credential(c1().CertificateVerification(types.CertificateVerificationDisabled), c2())).
+				CpReplicas(2).
+				build(),
+			name:     "valid_with_disabled_cert_verification",
+			expected: "",
+		},
 		{
 			config: installConfig().
 				MachinePoolCP(machinePool().
@@ -3017,6 +3027,11 @@ func (hb *credentialBuilder) BMCPassword(value string) *credentialBuilder {
 	return hb
 }
 
+func (hb *credentialBuilder) CertificateVerification(value types.CertificateVerificationPolicy) *credentialBuilder {
+	hb.Credential.CertificateVerification = value
+	return hb
+}
+
 type machinePoolBuilder struct {
 	types.MachinePool
 }
